The Auditors Are Coming: Cybersecurity

At the halfway point in 2015, many small financial service firms are struggling to meet the much stricter FINRA Cybersecurity rules that were mandated last year and then further discussed during the Cybersecurity Roundtable sponsored by the SEC.

In particular, many small firms that have their IT managed by small, independent Managed Service Providers (MSP’s) are getting caught short when the auditors come calling. The utter failure of many MSP’s to provide clear and concise policies and procedures for their clients to manage their technology, will prove to be a costly and time consuming undertaking for many investment firms in this tighter regulatory environment.

The Cybersecurity Regulations underline – with a very clear stroke – the importance of regular, defined review and clearly written response plans for an organization’s technology management. Bringing a competent, experienced IT consulting firm on board to assist with the preparation of these policies and procedures is critical in maintaining a coherent technology stance going into the second half of the year.

The LCO Group has over 20+ years of financial service experience, and assigns high level personnel to work on the creation of these policies, using proven templating and structured response methodology. Additionally, if a firm’s current MSP is unable to implement some

of the higher level security controls that are created, The LCO Group can assign appropriate engineering staff to ensure that the policies are adhered to.

Cybersecurity a Top SEC and FINRA Examination Priority in 2015

Cybersecurity will receive increased scrutiny from regulators in the year ahead. While larger firms have already implemented information security programs, many small and mid-size shops are neither sufficiently prepared for a cybersecurity breach nor the questions that the examiners will be asking them.

As in past years, the SEC and FINRA (as well as other regulators) released their examination priorities for 2015 in early January. Compliance and legal professionals can now pore over the language of these priorities to assess where their firms need to focus in the coming year. While there may be more than one candidate for top honors, cybersecurity has emerged as one of the top areas that will receive increased scrutiny from regulators in the year ahead.

SEC Examination Priorities

To understand what has changed, we can look back to the priorities published in 2014. When the SEC’s Office of Compliance, Inspections and Examinations (OCIE) published its National Exam Program Examination Priorities 2014, it listed “Technology” as a National Examination Priority (NEP) initiative. Within the description of “Technology” it merely listed “information security” as an area that would continue to be examined.

Their focus, however, increased just a couple of months later after the SEC sponsored a Cybersecurity Roundtable. Within a couple of weeks following the Cybersecurity Roundtable, the SEC published its OCIE Cybersecurity Initiative NEP Risk Alert

that included a sample request for information that OCIE might use in conducting information security examinations of an initial group of 50 registered brokers and investment advisers. In the months that followed, investment adviser clients reported that these examinations had indeed extended beyond the initial group.

To make sure your organization is in compliance with cybersecurity guidelines: